To prevent hacking, disable Universal Plug and Play now

Security experts are advising that a networking feature known as Universal Plug and Play be disabled on routers, printers, and cameras, after finding it makes tens of millions of Internet-connected devices vulnerable to serious attack.

UPnP, as the feature is usually abbreviated, is a set of protocols designed to make it easy for computers to connect to Internet gear: devices automatically discover one another over a local network and announce the services they offer. That often eliminates the hassle of configuring devices by hand the first time they're connected. But UPnP can also make life easier for attackers half a world away who want to compromise a home computer or breach a business network, according to a white paper published Tuesday by researchers from security firm Rapid7.

Over a five-and-a-half-month period last year, the researchers scanned every routable IPv4 address about once a week. They identified 81 million unique addresses that responded to standard UPnP discovery requests, even though the discovery protocol is meant for use only within a local network and should never answer a request arriving from the Internet. Further scans revealed that 17 million of those addresses also exposed UPnP control services built on the open standard known as SOAP, short for Simple Object Access Protocol. By exposing that control interface to the Internet at large, the devices can make it possible for attackers to bypass the firewall protection the device itself is supposed to provide.
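The discovery request the scan relied on is a plain SSDP M-SEARCH datagram, and a device that answers it from its WAN side has already told the attacker which UPnP stack it runs and where to fetch its service description. The following is an added example, not code from the article or from Rapid7's tooling: it builds the request, parses a reply in the shape an Internet gateway device returns, and reports whether the LOCATION host is an RFC 1918 address. The sample reply is constructed for illustration (the banner and address are not from any real device), and the probe function is a minimal unicast probe you can point at your own router's WAN address, where the correct result is no reply at all.

```python
import ipaddress
import socket
from typing import Dict, Optional
from urllib.parse import urlparse

SSDP_PORT = 1900

# The standard SSDP discovery request. On a LAN it is multicast to
# 239.255.255.250:1900; sent unicast to a router's WAN address it is the same
# probe the Rapid7 scan used, and a correctly scoped stack should not answer.
M_SEARCH = (
    "M-SEARCH * HTTP/1.1\r\n"
    "HOST: 239.255.255.250:1900\r\n"
    'MAN: "ssdp:discover"\r\n'
    "MX: 2\r\n"
    "ST: upnp:rootdevice\r\n"
    "\r\n"
)

# Constructed sample reply (not captured from any real device); the SERVER
# banner and the LOCATION address are illustrative values only.
SAMPLE_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"CACHE-CONTROL: max-age=120\r\n"
    b"ST: upnp:rootdevice\r\n"
    b"USN: uuid:00000000-0000-0000-0000-000000000000::upnp:rootdevice\r\n"
    b"EXT:\r\n"
    b"SERVER: Linux/2.6, UPnP/1.0, MiniUPnPd/1.2\r\n"
    b"LOCATION: http://192.0.2.10:5000/rootDesc.xml\r\n"
    b"\r\n"
)

RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def is_rfc1918(host: str) -> bool:
    """True only for literal IPv4 addresses inside the three RFC 1918 blocks.

    ipaddress's is_private is deliberately not used: it also treats the
    documentation range 192.0.2.0/24 as private, which is not what we want.
    """
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a hostname, not an address
    return any(addr in net for net in RFC1918)


def parse_ssdp_response(raw: bytes) -> Dict[str, str]:
    """Parse an SSDP 'HTTP/1.1 200 OK' reply into a dict of upper-cased headers."""
    lines = raw.decode("utf-8", errors="replace").split("\r\n")
    if not lines or not lines[0].startswith("HTTP/1.1 200"):
        raise ValueError("not an SSDP 200 OK response: %r" % lines[:1])
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if not line:
            break  # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers


def assess(headers: Dict[str, str]) -> Dict[str, object]:
    """Summarise what a reply to a WAN-side probe hands an attacker.

    Any reply at all means SSDP is reachable from outside. LOCATION is the
    device-description URL from which the SOAP control URLs are read; if its
    host is a routable address, the SOAP layer (the second stage of the
    Rapid7 scan) is most likely reachable from the Internet as well.
    """
    location = headers.get("LOCATION", "")
    host = urlparse(location).hostname if location else None
    return {
        "server": headers.get("SERVER", ""),
        "location": location,
        "location_host_is_lan": host is not None and is_rfc1918(host),
    }


def probe(target: str, timeout: float = 3.0) -> Optional[Dict[str, object]]:
    """Send one unicast M-SEARCH to target:1900 and assess the first reply.

    Only use this against hosts you are authorised to test. Returns None
    when nothing answers within the timeout.
    """
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(M_SEARCH.encode("ascii"), (target, SSDP_PORT))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return None
    return assess(parse_ssdp_response(data))


if __name__ == "__main__":
    print(assess(parse_ssdp_response(SAMPLE_RESPONSE)))
```

Header names are upper-cased before lookup because stacks differ in case, and the RFC 1918 test is written out explicitly so that a documentation address such as 192.0.2.10 counts as routable, which matters when you are deciding whether a LOCATION would be fetchable from the Internet.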

"Unfortunately, the realities of the consumer electronics industry will leave most systems vulnerable for the indefinite future," the Rapid7 white paper warned. "For this reason, Rapid7 strongly recommends disabling UPnP on all Internet-facing systems and replacing systems that do not provide the ability to disable this protocol."

In all, Rapid7 identified 6,900 products sold by 1,500 separate vendors that contained at least one UPnP vulnerability. Rapid7 CTO HD Moore told Ars that home networks with UPnP-enabled devices are generally safe as long as the firewall built into the Internet-facing router is enabled and working properly. The problem is that many routers themselves include vulnerable implementations of UPnP, in which case they provide an easy way for attackers to get around that protection.

"The main message for consumers is make sure your router is locked down," Moore said.

The wider range of devices in business networks and their increased susceptibility to attacks from insiders make enterprises more vulnerable, he added. A few hours after the white paper was released, Moore said, his team discovered a popular device that modified firewalls to allow outside connections to the port it was running on. Rapid7 has released a free scanner for Windows users that identifies vulnerable network devices. Users of non-Windows computers can use the open-source Metasploit software framework to do the same thing.

The Rapid7 white paper came the same day Cisco Systems announced a fix for a vulnerability in a UPnP software development kit.

This is only a danger for people with no firewall / NAT or who allow other routers and switches to subnet directly into their LAN.

There are a number of articles describing how many UPnP capable routers don't check if an IP is internal before opening the ports. You can knock from the outside to open say, 3389 and scan through the typical LAN addresses to see if anyone is home.

http://www.upnp-hacks.org/igd.html

Some stacks don't check if the NewInternalClient parameter is actually an IP address on the LAN. Those stacks make it possible to specify a routable IP address instead of a private LAN address. The firewall on the router will perform NAT on the incoming packets for the specified port and protocol and send it to whatever NewInternalClient specified. If this is an external IP address which is not on the LAN the packets will be sent there when someone connects to the router from the WAN. The router is effectively turned into an involuntary onion router, since nearly all devices have remote logging via syslog turned off by default and connections are hard to track this way.

My question, like those of others posting above, was "my gadget is on a network using an RFC 1918 address space, and behind a NAT router. Unless I've added port forwarding, how the hell would anyone from outside be able to talk to my printer?!?"

I found the answer in the Wikipedia article on UPnP: "Many routers and firewalls expose themselves as Internet Gateway Devices, allowing any local UPnP control point to perform a variety of actions, including retrieving the external IP address of the device, enumerate existing port mappings, and add or remove port mappings. By adding a port mapping, a UPnP controller behind the IGD can enable traversal of the IGD from an external address to an internal client."

So, people build routers, on purpose, that silently expose internal devices to the Internet?!? AAaarrgghh! I s'pose those are for the "I just want it to work" crowd.

The lesson for the rest of us is to disable all UPnP capability in our routers. {sigh}
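The NewInternalClient problem described in the upnp-hacks excerpt above and the IGD port-mapping behaviour quoted from Wikipedia both come down to one SOAP action, AddPortMapping on the WANIPConnection:1 service, and to checks the router does or does not make before acting on it. The following is an added example and not code from any router vendor or from the commenters: it builds the SOAP body a control point sends (the argument names are those of the IGD service), shows what a permissive stack does with it (take the arguments at face value), and puts a hypothetical validator beside it that rejects a request not originating on the LAN or naming a NewInternalClient outside the LAN subnet. The addresses 192.168.1.0/24, 203.0.113.5 and 198.51.100.7 are constructed for the illustration.

```python
import ipaddress
import xml.etree.ElementTree as ET
from typing import Tuple

WANIP_NS = "urn:schemas-upnp-org:service:WANIPConnection:1"


def build_add_port_mapping(external_port: int, protocol: str,
                           internal_client: str, internal_port: int) -> str:
    """Build the SOAP body of an IGD AddPortMapping call.

    The same body is sent whether the caller is a game console on the LAN
    or an attacker who has reached the control URL of a permissive stack.
    """
    return (
        '<?xml version="1.0"?>\n'
        '<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/" '
        's:encodingStyle="http://schemas.xmlsoap.org/soap/encoding/">\n'
        "<s:Body>\n"
        f'<u:AddPortMapping xmlns:u="{WANIP_NS}">\n'
        "<NewRemoteHost></NewRemoteHost>\n"
        f"<NewExternalPort>{external_port}</NewExternalPort>\n"
        f"<NewProtocol>{protocol}</NewProtocol>\n"
        f"<NewInternalPort>{internal_port}</NewInternalPort>\n"
        f"<NewInternalClient>{internal_client}</NewInternalClient>\n"
        "<NewEnabled>1</NewEnabled>\n"
        "<NewPortMappingDescription>example</NewPortMappingDescription>\n"
        "<NewLeaseDuration>0</NewLeaseDuration>\n"
        "</u:AddPortMapping>\n"
        "</s:Body>\n"
        "</s:Envelope>\n"
    )


def extract_mapping(body: str) -> dict:
    """What a permissive stack does: take the action's arguments at face value."""
    root = ET.fromstring(body)
    action = root.find(f".//{{{WANIP_NS}}}AddPortMapping")
    if action is None:
        raise ValueError("no AddPortMapping action in SOAP body")
    return {child.tag: (child.text or "").strip() for child in action}


def validate_add_port_mapping(body: str, source_ip: str,
                              lan_net: str) -> Tuple[bool, str]:
    """Checks a hardened IGD should make before touching its NAT table.

    Hypothetical validator, not any vendor's code. source_ip is the address
    the control request arrived from; lan_net is the router's LAN subnet.
    """
    net = ipaddress.ip_network(lan_net)
    # A mapping request must come from inside; the "knock from the outside"
    # case is a control request that reached the router from the WAN.
    if ipaddress.ip_address(source_ip) not in net:
        return False, "control request did not originate on the LAN"
    try:
        args = extract_mapping(body)
    except (ValueError, ET.ParseError) as exc:
        return False, f"malformed request: {exc}"
    try:
        client = ipaddress.ip_address(args.get("NewInternalClient", ""))
    except ValueError:
        return False, "NewInternalClient is not an IP address"
    if client not in net:
        # The missing check: a routable NewInternalClient turns the router
        # into a relay for whoever connects to NewExternalPort.
        return False, f"NewInternalClient {client} is outside the LAN"
    if args.get("NewProtocol") not in ("TCP", "UDP"):
        return False, "NewProtocol must be TCP or UDP"
    for name in ("NewExternalPort", "NewInternalPort"):
        try:
            port = int(args.get(name, ""))
        except ValueError:
            return False, f"{name} is not a number"
        if not 1 <= port <= 65535:
            return False, f"{name} out of range"
    return True, "ok"


if __name__ == "__main__":
    relay = build_add_port_mapping(3389, "TCP", "203.0.113.5", 3389)
    print(extract_mapping(relay)["NewInternalClient"])
    print(validate_add_port_mapping(relay, "192.168.1.20", "192.168.1.0/24"))
```

The source-address check and the subnet check are separate on purpose: the first stops the request being made from the WAN at all, the second stops an inside host (or malware on it) from pointing a mapping at an outside address and turning the router into the involuntary relay the excerpt describes.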

For anyone who doesn't want to read the 29-page article, the main thing they found was that routers were advertising the UPnP SSDP service (the directory that tells you what UPnP devices are available) to the internet.

If it comes up as stealth, then your router doesn't have this problem. It doesn't mean UPnP services within your network aren't opening up other security holes, but it does mean your router isn't suffering from this problem.